This Time It's Starwood
These days, data breaches are so common that they must be large and meaningful to capture your attention. The recent hack against Marriott International qualifies. As many as half a billion customers may be affected, making the Marriott hack the second largest ever in terms of exposed records.
The breach began in 2014, affecting the Starwood guest reservation database. Starwood properties include the Sheraton, Westin, W, St. Regis, and Le Meridien chains – many of which cater to the high-end market. Marriott acquired Starwood in 2016 but didn't detect the breach until November 2018.
Exposed personal information for up to 327 million guests includes their name, address, e-mail address, phone number, passport number, birthdate, and other hotel-specific information like arrival/departure/reservation times and preferred guest account information. Payment card information may also be compromised with an undetermined number of guests.
Marriott has set up a dedicated call center and webpage to help affected customers and is notifying potential victims by e-mail.
Maybe you aren't affected by the Starwood breach, but you're almost certain to be affected by a corporate data breach at some point – if you haven't been affected already. According to a 2018 Harris poll, almost sixty million Americans have experienced identity theft at least once.
Follow the Money
Why are data breaches inevitable? It's like the famous line about why people rob banks – "Because that's where the money is."
Identity theft is lucrative, and entry costs are lower than ever. Drawn by the gains from stolen personal information, identity thieves have established a supply chain of sorts. Criminals with lesser skills can buy kits that allow them to engage in their own mini-hacks – or they can just buy a package of identities straightaway. They establish false accounts and rack up huge bills before customers realize their identity is compromised.
Recent advances in credit card fraud and identity theft protection are one step behind. EMV ("chip") cards, Apple Pay, and other advances beyond the magnetic stripe have helped cut down on traditional credit card counterfeiting and point-of-sale fraud – but these methods don't address online credit card fraud or personal information stolen through a hacked database.
Hacks will increase as more identity thieves appear and more commerce shifts to online sales. You can't prevent hacks since you don't have control over customer databases, but you can control how much of your information that database holds.
Be Both Proactive and Reactive
Have you already been unknowingly affected by a breach? Check all your credit card statements and bank accounts regularly – not just at the end of the month. If you don't have time to properly monitor accounts, consider credit-monitoring services to immediately alert you to suspicious account activity. If you would like to monitor your credit to prevent identity theft and see your credit reports and scores, join MoneyTips.
Check your credit report for any signs of fraudulent charges or unknown accounts. Dispute even small charges that are incorrect – criminals may make a small purchase just to see if you're paying attention.
Assuming your credit report is clean, focus on your prevention strategy.
Apply credit freezes to your credit reports with all three major credit reporting agencies (Experian, Equifax, and TransUnion). Identity thieves will have trouble opening credit accounts in your name even if they do get your hacked information. You'll need to remove the freeze to apply for legitimate credit in your name, but credit freezes and thaws are free and easy to apply.
Don't take personal shortcuts like allowing your computer (or websites) to store more personal information than is necessary. It's a hassle to type your credit card number in every time, but that practice leaves criminals fewer access points to your information. Sites may not give you a choice, and in that case, you have to weigh the risk of an information breach with the benefits of doing business with that organization.
When it's available, use two-factor authentication that sends a confirming code via e-mail or text. Entering the code verifies that it's really you making the transaction.
Remember that large database hacks are not the only way identity thieves can get your information. Protect your personal devices with regular system updates, anti-virus software, and strong passwords. Shred any documents containing personal information before throwing them away.
In short, assume your data has already been compromised but take preventative steps anyway. We offer some simple identity theft protection steps to get you started.
Information breaches are inevitable. Fraudulent use of your accounts is not.
Use a three-pronged strategy to protect yourself against identity theft losses – protect your personal information, store your information with as few third parties as possible, and make it hard for thieves to profit from your information if they do steal it.
If you're affected by a data breach, check with the hacked organization for any steps or remedies that are specific to that breach and act immediately. Change passwords at a bare minimum. Check all accounts regularly and address any fraudulent transactions or accounts with the credit card issuer or bank involved. File a police report and a complaint with the Federal Trade Commission in case of losses.
You might not be able to stop identity theft, but you can take steps to reduce the odds that criminals will steal your personal information and/or drain your resources. Make their lives difficult and they'll likely move on to easier targets.
Protect your credit – protect your identity – protect yourself with a free MoneyTips trial.